Palin E-mail Hack Could Easily Have Been Avoided, Experts Say
News of the Yahoo e-mail hack came to light Wednesday when a blogger identified as "rubico" posted a message to the 4chan's forum /b/ board claiming that he had hacked into Palin's Yahoo account by using the password reset feature. In the posting, the blogger stated that he had deduced the answers to Palin's Yahoo e-mail security questions, such as her zip code, date of birth, and where she met her husband, from simple Internet searches. Determining the answers to her security questions, allowed the hacker to reset her password to "popcorn" and subsequently access her account.
Since then, a Tennessee state legislator told the Tennessean newspaper of Nashville, Thursday that his 20-year-old son David Kernell had been mentioned on the 4chan blog, which speculated that Kernell was the Palin e-mail hacker. Tennessee State Rep. Mike Kernell, a Democrat representing southeast Memphis and the University of Memphis, did not, however, confirm that his son was the hacker and declined further comment, the Tennessean reported.
Security experts said that the simple hack stemmed from fundamental problems with a public e-mail security that is reliant on passwords. In order to reset a password, many public e-mail service providers rely on security questions with answers that are a matter of public record or which can be found on the Internet.
"When you ask for information that is public, it's going to be out there. People can figure that out," said Ryan Barnett, director of application security at Breach Security.
Barnett said that the Palin e-mail hack underscores the need for providers like Yahoo and Gmail to beef up security protocol with more complicated questions in order for users to reset their passwords.
Additionally, Barnett said that providers need to confirm an alternate channel with users that would allow them to reset passwords when they're creating an e-mail account, such as a secondary e-mail address. Other password recovery implementations could include some type of IP address authentication for someone changing the password from a computer other than those of the user, he said.
Meanwhile, others maintain that the e-mail security problems transcend simple password protocol. Phillip Dunkelberger, CEO of PGP Corp., said that while public e-mail carriers guarantee that transactions are safe, the e-mail content is stored in a database that can be "read like a postcard."
For e-mail to be completely secure, the messages need to be encrypted when stored at rest, as well as in motion, he said. "(Public e-mail) is encrypted in a tunnel, but when it pops out the other end on the server, it's stored unencrypted," said Dunkelberger. "If you don't want to shout around the world, you want to whisper, you need to use encryption. Then it doesn't store it in plain text but in a sealed package that only you can open."
Steven Sprague, president and CEO of Wave Systems, said that ultimately, keeping e-mail secure would be incumbent upon companies like Yahoo. Sprague said that one way of ensuring the identity of the e-mail user would be for ISPs to update their technology to support security chips incorporated into many PCs. Those security chips are designed to verify the authenticity of the e-mail account owner. Sprague said that alrready more than 250 million PCs come equipped with standard security chips.
"It's now getting to be a big enough number so that we as users should start asking the question, 'When can I get an e-mail system that uses security installed in my box?'" said Sprague. "We should take advantage of industry standard solution. It free, universal, its vendor neutral and it's available to all of us."
However, Graham Cluley, senior technology consultant for Sophos, said that one of the most immediate, if not simplest solutions to e-mail security would be to make up an answer that can't be found on the Internet when prompted by the password security questions.
"If you are going to use something like a Web e-mail account, don't tell it the truth," said Cluley. "We're such rule followers, if a Website asks us some information, most of us will answer truthfully."
Cluley said that while most people are conditioned to tell the truth, the practice can ultimately endanger them in cyberspace.
"People fill (security questions) in without a second thought," he said. "Unfortunately that can lead to a security nightmare."